Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jason Brvenik (jasonbetrusted.com)
Date: Fri Jan 04 2002 - 12:39:06 CST
SSL only requires the server side certificate to enable full encryption
of the transported data in any direction. The client cert really only
adds value by providing Strong authentication / authorization the SSL
protocol stands on it's own without it.
It works like this. ( in a very simplified way )
1) Client connects and requests the ssl session
2) Client inspects provided credentials for validitity.
3) Allow / Deny based on trust that is explicit or granted.
4) A symetric key is negotiated and exchanged using the public/private
keypair of the server certificate.
5) all communication is done with the symetric keys.
6) some time later ( or after a qualifying event ) the keys are
The major thing missing in this is trust. There is no trust that your
server is your server if the client cannot verify the issuing authority.
If you allow the SSL even though the client does not have the CA key
what is to stop the wiley hx0r d00d from creating a CA that looks and
feels like yours and then impersonating your server / replacing your
cert and gaining all access anyway?
If you would like more information please contact me directly at